When you start to support DNSSEC, you are suddenly supposed to manage the keys used to sign the domain. This is a typical task for a security officer. Typical concerns are to conceal the private keys from outside-world prying eyes, and to avoid losing keys as long as the outside world needs them to trust […]

This instruction explains how to set up DNSSEC validation with the BIND resolver for DNS. A companion article on Unbound also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used BIND 9.7.1-P2 on Debian Linux. Variations should work; there is even a prebuilt […]

This instruction explains how to set up DNSSEC validation with the Unbound resolver for DNS. A companion article on BIND also exists. Note that Unbound has been written for security from the ground up, and carries less history than BIND. Install. We used Unbound 1.4.5 on Debian Linux. Variations should work; there is even a prebuilt […]

Before you start using the root trust anchor, it is very important to verify it. ICANN has specified several methods for doing this. We relied on the PGP signature made by one of the trusted community representatives, Olaf Kolkman of NLnet Labs. Again, please make sure that you validate the trust anchor before you start […]

Today was a big milestone in the deployment of DNSSEC on the Internet with the signing of the root zone. For system administrators of recursive caching name servers – or as they are colloquially known, resolvers – this is good news. For the first time ever, they can configure a trust anchor for the root […]

DNSSEC introduces a signature hierarchy on grounds of domain ownership. This means that first-contact situations can be validated under domains; powerful examples are SSH fingerprints, X.509 and OpenPGP certificates, and contact information, all of which can be specified in dedicated DNS records.

If any design principle has been leading our architectural work around resilience for DNSSEC, it has been idempotence. It is one of those algebraic concepts that really helps to beat sense into a complex set of choices. Idempotence means that doing the same thing twice is no different from doing it once. Painting orange on […]

In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine. User access control: The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]

Introduction: A big part of the security of our infrastructure is determined by the access control we enforce on all the components that form the DNSSEC signer infrastructure. Access control is important on several levels: network level; access to machines and user privileges on these machines; access to sensitive data on the signer; HSM roles […]